Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Fun with tcpdump and hexdump...

Fun with tcpdump and hexdump

Here is some information that I've found/discovered from playing around with packets. The following is presented in an adhoc tutorial style. Hopepully you find it interesting.

tcpdump

Something that I found useful was the ability to actually capture the raw UDP packet using tcpdump utility. In the following example, we'll capture a DNS query packet and save it to a file.

Open up two terminal windows. In one window, type the following:

$ tcpdump udp -e -i eth0 -nn -vvv -c 1 -w dig.raw

The -c 1 option means that we only want to capture a single packet. The -w dig.raw options means that we want to dump the bytes of the packet we receive to dig.raw.

In the other window, type the following:

$ dig @8.8.8.8 www.uga.edu

In the first window, you should notice that tcpdump captured a packet and quit. The contents of that packet are now in dig.raw.

Note: In the commands above, you may need to change eth0 to whatever interface you're actually using.

hexdump

After looking around online and playing with the format strings myself, I came up with some pretty neat ways to display a file using the hexdump utility. You can check out the commands in the other files in this gist. Also, they should work with any file (not just packet dumps).

Good Looking Bytes

The following command will output in three "|"-deliminited columns. The first column is the byte offset. The second column is 8 bytes following that offset, written as unsigned hexadecimal values. The Third column is the same 8 bytes written as ASCII characters. You can change the number of bytes that are displated on each line by changing both occurances of the number 8 in the command with whatever number you wish to use.

$ hexdump -v -e '"%07.1_ax | "' -e '8/1 "0x%02x " " |"' -e '8/1 " %3_c"' -e '"\n"' dig.raw 

The above command produces the following:

      0 | 0xd4 0xc3 0xb2 0xa1 0x02 0x00 0x04 0x00 | 324 303 262 241 002  \0 004  \0
      8 | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 |  \0  \0  \0  \0  \0  \0  \0  \0
     10 | 0xff 0xff 0x00 0x00 0x01 0x00 0x00 0x00 | 377 377  \0  \0 001  \0  \0  \0
     18 | 0x65 0x5c 0x2a 0x51 0x21 0xa6 0x02 0x00 |   e   \   *   Q   ! 246 002  \0
     20 | 0x47 0x00 0x00 0x00 0x47 0x00 0x00 0x00 |   G  \0  \0  \0   G  \0  \0  \0
     28 | 0x00 0x12 0xf2 0xef 0x8b 0x00 0x52 0x54 |  \0 022 362 357 213  \0   R   T
     30 | 0x00 0xdd 0x00 0x11 0x08 0x00 0x45 0x00 |  \0 335  \0 021  \b  \0   E  \0
     38 | 0x00 0x39 0x9b 0xc1 0x00 0x00 0x40 0x11 |  \0   9 233 301  \0  \0   @ 021
     40 | 0x8a 0xc6 0xac 0x11 0x98 0x0b 0x08 0x08 | 212 306 254 021 230  \v  \b  \b
     48 | 0x08 0x08 0xec 0xee 0x00 0x35 0x00 0x25 |  \b  \b 354 356  \0   5  \0   %
     50 | 0x11 0x16 0x5d 0x9d 0x00 0x00 0x00 0x01 | 021 026   ] 235  \0  \0  \0 001
     58 | 0x00 0x00 0x00 0x00 0x00 0x00 0x03 0x77 |  \0  \0  \0  \0  \0  \0 003   w
     60 | 0x77 0x77 0x03 0x75 0x67 0x61 0x03 0x65 |   w   w 003   u   g   a 003   e
     68 | 0x64 0x75 0x00 0x00 0x01 0x00 0x01 0x   |   d   u  \0  \0 001  \0 001    

Note: I like using this one when I diff two packets because it lets me quickly determine which bytes differ.

Simple Byte String

The following command simply displays the byte string for the raw packet contained in dig.raw.

$ hexdump -v -e '1/1 "X%02x"' dig.raw | sed 's/X/\\x/g'

The above command produces the following:

\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00\x65\x5c\x2a\x51\x21\xa6\x02\x00\x47\x00\x00\x00\x47\x00\x00\x00\x00\x12\xf2\xef\x8b\x00\x52\x54\x00\xdd\x00\x11\x08\x00\x45\x00\x00\x39\x9b\xc1\x00\x00\x40\x11\x8a\xc6\xac\x11\x98\x0b\x08\x08\x08\x08\xec\xee\x00\x35\x00\x25\x11\x16\x5d\x9d\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x03\x75\x67\x61\x03\x65\x64\x75\x00\x00\x01\x00\x01

Python 3 Byte String

The following command displays the Python 3 byte string for the raw packet contained in dig.raw.

$ hexdump -v -e '1/1 "X%02x"' digg.pcap | xargs -I{} echo "b'" {} "'" | sed -e 's/\s\+//g' -e 's/X/\\x/g'

The above command produces the following awesome Python3 byte string:

b'\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00\x65\x5c\x2a\x51\x21\xa6\x02\x00\x47\x00\x00\x00\x47\x00\x00\x00\x00\x12\xf2\xef\x8b\x00\x52\x54\x00\xdd\x00\x11\x08\x00\x45\x00\x00\x39\x9b\xc1\x00\x00\x40\x11\x8a\xc6\xac\x11\x98\x0b\x08\x08\x08\x08\xec\xee\x00\x35\x00\x25\x11\x16\x5d\x9d\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x03\x75\x67\x61\x03\x65\x64\x75\x00\x00\x01\x00\x01'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment